Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Similar presentations


Presentation on theme: "Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication."— Presentation transcript:

1 Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication

2  Commitment Schemes AliceBob  Example : Alice and Bob must agree who will clean tonight They are at their offices. Each tosses a coin & they call:  If tosses are the same, then Alice cleans  If tosses are different, then Bob cleans Who talks first? Bob Alice Cristina Onete || 24/10/2014 || 2

3  Commitment Schemes Alice Bob  Alice and Bob toss Alice talks first Bob talks first Bob Alice  How can we avoid this? Bob says he tossed the same value Alice says she tossed the opposite value Cristina Onete || 24/10/2014 || 3

4  Commitment Schemes AliceBob  Commitment: an envelope with a strange seal Alice talks first Commit phase: she hides toss in envelope, gives it to Bob Reveal phase: Alice tells Bob how to unseal envelope Bob reveals toss Bob cleans Cristina Onete || 24/10/2014 || 4

5  Commitment Schemes AliceBob  Properties: Hiding: The content of the envelope is not visible Bob doesn’t know anything about Alice’s toss Binding: Alice can’t change the content in the envelope Alice can’t cheat after getting Bob’s toss Cristina Onete || 24/10/2014 || 5

6  Commitment Schemes Alice Bob  Formally:  Commitment hiding: ……………………  Commitment binding: Cristina Onete || 24/10/2014 || 6

7  Pedersen Commitments AliceBob …………………… Impossible Cristina Onete || 24/10/2014 || 7

8  Pedersen Commitments AliceBob ……………………  Hiding: Cristina Onete || 24/10/2014 || 8

9  DLog-based Commitments AliceBob ……………………  Computationally hiding: DLog  Perfectly binding by construction Cristina Onete || 24/10/2014 || 9

10  Cristina Onete || 25/09/2014 || 10 Exercise 1  Consider a hash function H  Use the commitment scheme  Is this commitment binding if H is one-way?  If H is one-way, is this commitment hiding?

11  Cristina Onete || 25/09/2014 || 11 Exercise 2  Use the commitment scheme  Is this commitment binding?  Is this commitment hiding?  What happens if the value s is known?

12  Cristina Onete || 25/09/2014 || 12 Exercise 3  Use the commitment scheme  Is this commitment hiding?  Is this commitment binding?

13  Cristina Onete || 25/09/2014 || 13 Identification & Authentication ProverVerifier  Goal (identification) : The prover wants to convince the verifier she is who she pre- tends to be Example: interview/application/exam  Goal (authentication) : Prover wants to prove she’s legitimate Example: owner of a house, student at University, etc ID

14  Cristina Onete || 25/09/2014 || 14 Challenge-Response  Two-move protocol Verifier starts, sending a challenge Prover sends a response Based on the challenge-response, the verifier must make his decision ProverVerifier challenge response

15  Cristina Onete || 25/09/2014 || 15 Challenge-Response Prover Verifier challenge response  Symmetric authentication: Verifier stores a keyring of many keys (each corresponding to one prover) Goal of challenge-response: verifier can decide whether the prover is legitimate or not Shared Property 1: a legitimate prover can always authenticate Property 2: an illegitimate prover can never authenticate

16  Cristina Onete || 25/09/2014 || 16 Challenge-Response Prover Verifier challenge response Shared  Exercise 4: Can the set of possible challenges be small?

17  Cristina Onete || 25/09/2014 || 17 Challenge-Response Prover Verifier challenge response  Exercise 5: Design a challenge-response protocol using a symmetric encryption function Now use a PK encryption scheme Use a pseudo-random hash function Now use a signature scheme Use a commitment scheme and a 1-way hash function

18  Cristina Onete || 25/09/2014 || 18 Exercises  Exercise 6: Prover Verifier Use the protocol above, assuming the hash function produ- ces pseudo-random outputs What is a simple denial-of-service attack that an attacker can run against a verifier who stores very many keys?

19  Cristina Onete || 25/09/2014 || 19 Exercises Prover Verifier  Exercise 7: A mutual authentication protocol is one in which both parties can verify the legitimacy of their partner Start from a basic 2-move challenge-response protocol. Can you think of a 3-move protocol that ensures MUTUAL authentication? Design a mutual authentication protocol using only a (keyed) hash function. What are the required properties?

20 CIDRE Thanks!


Download ppt "Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication."

Similar presentations


Ads by Google